PowerProtect Data Manager 19.11 Amazon Web Services Deployment Guide

Minimum AWS IAM role permissions for deployment

When deploying an AWS-based PowerProtect Data Manager instance, you can use IAM user roles assigned a minimum number of permissions to restrict user access. You can also use an IAM CloudFormation role assigned a minimum number of permissions to restrict CloudFormation access.

IAM user roles and permissions

The following table lists the minimum permissions that are required for the IAM user roles.

Table 1. Minimum permissions of IAM user roles required to deploy PowerProtect Data Manager

Service | Actions | Resources | Request conditions
EC2 | All EC2 actions (*) | All resources | None
SNS | ListTopics, GetTopicAttributes | All resources | None
Marketplace | ViewSubscriptions, Subscribe, Unsubscribe, ListBuilds, DescribeBuilds | All resources | None
IAM | Write PassRole, ListRoles | All resources | None
CloudFormation | All CloudFormation actions (*) | All resources | None

The following JSON code can be used to set these permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aws-marketplace:ViewSubscriptions",
                "aws-marketplace:Subscribe",
                "aws-marketplace:Unsubscribe",
                "aws-marketplace:ListBuilds",
                "aws-marketplace:DescribeBuilds",
                "iam:ListRoles",
                "iam:ListInstanceProfiles",
                "sns:GetTopicAttributes",
                "sns:ListTopics"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "cloudformation:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "ec2.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

IAM PowerProtect Data Manager and DDVE roles

The following table lists where the PowerProtect Data Manager and DDVE roles are selected from when creating the CloudFormation stack.

Table 2. Selection of IAM PowerProtect Data Manager and DDVE roles during stack creation

Role | CloudFormation template location
PowerProtect Data Manager | CloudFormation > Stacks > Create stack > Configure stack options > PowerProtect Data Manager Instance and Network Configuration > IAM Role (Optional)
DDVE | CloudFormation > Stacks > Create stack > Configure stack options > DDVE Instance Configuration > IAM Role for S3 access

IAM CloudFormation role and permissions

The AWS CloudFormation service deploys the PowerProtect Data Manager and DDVE instances. By default, this service uses the same roles and permissions as the logged-in user. These permissions can be changed by selecting an IAM CloudFormation role.

When you create the CloudFormation stack, the IAM CloudFormation role is selected from CloudFormation > Stacks > Create stack > Configure stack options > Permissions > IAM role name.

The following table lists the minimum permissions that are required for the IAM CloudFormation role.

Table 3. Minimum permissions of IAM CloudFormation role required to deploy PowerProtect Data Manager

Service | Actions | Resources | Request conditions
EC2 | All EC2 actions (*) | All resources | None
IAM | Write PassRole, ListRoles | All resources | IAM:PassedToService (StringLike ecs.amazonaws.com)

The following JSON code can be used to set these permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            }
        }
    ]
}
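
A policy lint for the two policies above, as an added example that is not Dell's code: it reports service-wide action grants and, for each statement that allows iam:PassRole, which service the iam:PassedToService condition limits it to and whether any role may be passed. The function names and finding labels are assumptions of this example; the embedded policies are the page's own, compacted.

```python
import json
from fnmatch import fnmatchcase

# Constructed inputs: the two policies from this page, compacted.
USER_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Resource": "*", "Action": ["aws-marketplace:ViewSubscriptions",
   "aws-marketplace:Subscribe", "aws-marketplace:Unsubscribe", "aws-marketplace:ListBuilds",
   "aws-marketplace:DescribeBuilds", "iam:ListRoles", "iam:ListInstanceProfiles",
   "sns:GetTopicAttributes", "sns:ListTopics"]},
 {"Effect": "Allow", "Resource": "*", "Action": "ec2:*"},
 {"Effect": "Allow", "Resource": "*", "Action": ["cloudformation:*"]},
 {"Effect": "Allow", "Resource": ["*"], "Action": ["iam:PassRole"],
  "Condition": {"StringLike": {"iam:PassedToService": ["ec2.amazonaws.com"]}}}]}""")
CFN_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Resource": "*", "Action": "ec2:*"},
 {"Effect": "Allow", "Resource": "*", "Action": "iam:PassRole",
  "Condition": {"StringLike": {"iam:PassedToService": "ec2.amazonaws.com"}}}]}""")

def as_list(value):
    """IAM accepts a bare string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]

def passed_services(statement):
    """Services that an iam:PassedToService condition limits the statement to."""
    found = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator in ("StringEquals", "StringLike"):
            for key, value in keys.items():
                if key.lower() == "iam:passedtoservice":  # condition keys are case-insensitive
                    found += as_list(value)
    return found

def audit(policy):
    """Return (statement index, finding, detail) tuples for the Allow statements."""
    findings = []
    for index, st in enumerate(as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(st.get("Action", []))]
        findings += [(index, "service-wide-actions", a) for a in actions if a == "*" or a.endswith(":*")]
        if any(fnmatchcase("iam:passrole", a) for a in actions):  # also matches iam:* and *
            findings.append((index, "passrole-to", ",".join(passed_services(st)) or "ANY SERVICE"))
            if "*" in as_list(st.get("Resource", [])):
                findings.append((index, "passrole-any-role", "Resource is *"))
    return findings

if __name__ == "__main__":
    for name, policy in (("user", USER_POLICY), ("cloudformation", CFN_POLICY)):
        for finding in audit(policy):
            print(name, *finding)
```

Both policies report passrole-any-role; listing the ARNs of the PowerProtect Data Manager and DDVE roles in "Resource" instead of "*" would narrow that, assuming those roles are created before the stack is deployed.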
